A week after Adobe fixed a critical zero-day vulnerability in its Acrobat Reader, the company issued another patch after a researcher dug up a way to bypass the original fix.
The previous vulnerability (CVE-2019-7089) was fixed in Adobe’s regularly scheduled security update last week. But Adobe said that its patch for that flaw, a sensitive data leakage vulnerability that could enable information disclosure, had a hole.
“Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS,” said Adobe in its unscheduled Thursday update. “These updates address a reported bypass to the fix for CVE-2019-7089 first introduced in 2019.010.20091, 2017.011.30120 and 2015.006.30475 and released on February 12, 2019.”
The zero-day vulnerability in Adobe Reader, disclosed by Alex Infuhr from cure53 in a Jan. 26 post, enabled bad actors to steal victims’ hashed password values, known as “NTLM hashes.”
The vulnerability allowed a PDF document to automatically send a server message block (SMB) request to an attacker’s server as soon as the document was opened. The SMB protocol enables an application, or a user of an application, to access files on a remote server. Embedded in these SMB requests are NTLM hashes (NTLM is short for NT LAN Manager).
The critical vulnerability was temporarily patched last week by 0patch before Adobe issued its official patch. “This vulnerability… allows a remote attacker to steal user’s NTLM hash included in the SMB request,” said Mitja Kolsek with 0patch in a Monday post. “It also allows a document to ‘phone home’, i.e., to let the sender know that the user has viewed the document. Obviously, neither of these is desirable.”
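The behavior described above, Reader opening an SMB connection as soon as a document is opened, is something defenders can look for in endpoint network telemetry. The following is an added example, not code from Adobe, 0patch or the researcher; it assumes Sysmon-style network connection events exported as JSON lines, and the sample events, host names, paths and internal address ranges are constructed.

```python
import ipaddress
import json
from pathlib import PureWindowsPath

READER_IMAGES = {"acrord32.exe", "acrobat.exe"}   # Reader / Acrobat on Windows
SMB_PORTS = {139, 445}                             # NetBIOS session, SMB over TCP
# Assumption: these ranges are "internal"; replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: JSON lines shaped like Sysmon Event ID 3 (network
# connection) records. Hosts, paths and addresses are made up.
SAMPLE_EVENTS = r"""
{"EventID": 3, "Computer": "WS-014", "Image": "C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe", "DestinationIp": "203.0.113.25", "DestinationPort": 445}
{"EventID": 3, "Computer": "WS-014", "Image": "C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 443}
{"EventID": 3, "Computer": "WS-022", "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "10.1.2.3", "DestinationPort": 445}
{"EventID": 3, "Computer": "WS-031", "Image": "C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe", "DestinationIp": "10.1.2.3", "DestinationPort": 445}
{"EventID": 1, "Computer": "WS-031", "Image": "C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe"}
not-json
"""


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_reader_smb(lines):
    """Return (computer, image name, destination, scope) for each SMB
    connection opened by a Reader/Acrobat process."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
            if ev.get("EventID") != 3:
                continue
            name = PureWindowsPath(ev["Image"]).name
            port = int(ev["DestinationPort"])
            scope = "internal" if is_internal(ev["DestinationIp"]) else "external"
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed or incomplete records
        if name.lower() in READER_IMAGES and port in SMB_PORTS:
            hits.append((ev.get("Computer"), name, f'{ev["DestinationIp"]}:{port}', scope))
    return hits


if __name__ == "__main__":
    for hit in find_reader_smb(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

Hits scoped "external" are the ones that match the hash-leak scenario in the article; "internal" hits are kept so an analyst can decide whether Reader talking to a file server is expected in their environment.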
And while Adobe patched the flaw last week, a bypass for the fix, tracked as CVE-2019-7815, exists and can ultimately lead to information disclosure: “Successful exploitation could lead to sensitive information disclosure in the context of the current user,” according to Adobe’s update.
In a Feb. 13 Twitter exchange, Infuhr said that he had discovered a bypass for the patch and would report it to Adobe. Infuhr did not respond to a request for comment from Threatpost by publication.
No it does not seem to be properly patched as I discovered a bypass. Going to report the bypass to Adobe
— alex (@insertScript) February 13, 2019
Impacted are versions of Adobe Acrobat and Reader for Windows and macOS – specifically, Acrobat DC and Acrobat Reader DC continuous, versions 2019.010.20091 and earlier; Acrobat 2017 and Acrobat Reader 2017 Classic, versions 2017.011.30120 and earlier; and Acrobat DC and Acrobat Reader DC Classic 2015, versions 2015.006.30475 and earlier.
The update received a “priority 2” rating, meaning that it resolves vulnerabilities in a product that has historically been at elevated risk, but for which there are currently no known exploits.
Infuhr, who discovered the proof of concept for the original vulnerability, was also credited with reporting the issue.